ICT Continuity Plan (DORA)

An ICT continuity plan is a business continuity plan specifically for ICT systems and services. Under DORA, financial entities are required to have documented and tested ICT continuity plans to ensure operational continuity during and after severe ICT disruptions.

    What is an ICT continuity plan?

    An ICT continuity plan (ICT Business Continuity Plan) is a document describing how the organisation maintains critical ICT functions during a severe disruption and how it restores normal operations as quickly as possible. It is part of the broader business continuity plan but with a specific focus on ICT systems and services.

    Under DORA, ICT continuity plans must be more than mere documents – they must be tested, and concrete targets for recovery time and data integrity must be established.

    DORA's requirements for ICT continuity

    DORA Article 11 sets out the requirements for ICT continuity plans. As a minimum, the plan must address:

    • Activation procedures: Procedures for activating the plan and the necessary escalation steps.
    • Backup and restoration: Backup and recovery procedures, including RTO and RPO targets.
    • Roles and responsibilities: Clear assignment of roles and responsibilities during plan activation.
    • Communication procedures: Communication protocols for staff, ICT third-party providers and authorities.
    • Critical service continuity: Procedures to ensure that critical services can be maintained in emergency situations.
    • Transition to backup systems: Procedures for transitioning to backup systems and locations.


    Testing is mandatory and must be documented:
    DORA requires financial entities to test their ICT continuity plans at least once a year and after significant changes. Test results must be documented and communicated to senior management.

    RTO and RPO targets

    A central element of the ICT continuity plan is the establishment of:

    • RTO (Recovery Time Objective): The maximum acceptable time from when a disruption occurs until the system is restored. E.g. "critical payment systems must be restored within 4 hours."
    • RPO (Recovery Point Objective): The maximum acceptable data loss, measured in time. E.g. "a maximum of 15 minutes' data loss is acceptable for trading systems."

    DORA requires these targets to be set and prioritised based on the criticality of the ICT systems in question and the financial services they support.

    Frequently Asked Questions about ICT Continuity Plan (DORA)

    What is the difference between an ICT continuity plan and an incident response plan?

    An ICT continuity plan focuses specifically on maintaining and restoring ICT systems and services during a disruption. An incident response plan focuses on managing and containing a specific incident. Both plans are complementary and should be coordinated.

    How often must ICT continuity plans be tested under DORA?

    DORA requires financial entities to test their ICT continuity plans at least once per year and after any significant changes to ICT systems or processes. Test results must be documented and reported to senior management.

    What are RTO and RPO in the context of DORA?

    RTO (Recovery Time Objective) is the maximum acceptable time to restore a system after a disruption. RPO (Recovery Point Objective) is the maximum acceptable amount of data loss measured in time. DORA requires these targets to be established for all critical ICT systems.

    Does DORA require separate continuity plans for each critical system?

    DORA does not prescribe a single plan per system, but requires that all critical and important ICT systems and services are covered by ICT continuity plans. Organisations may structure their plans as appropriate, provided all critical functions are addressed.

    What role does senior management play in ICT continuity under DORA?

    Senior management is responsible for approving the ICT continuity plans, ensuring adequate resources are allocated, reviewing test results and overseeing the ongoing effectiveness of continuity arrangements. DORA places direct accountability on the management body.
